The Anti-Phishing Working Group (APWG) is reporting a record number of legitimate "brands" were hijacked in July 2006.

The group is reporting 154 banks, financial companies, electronic retailers, or other organizations had their brands hijacked through phishing in July 2006 - a new record. They also report to have found 23,670 total phishing websites used to commit identity theft, fraud and other malicious activity in July 2006. This number is second only to the record 28,571 phishing sites found in June 2006, and is nearly double the 14,135 phishing sites found in July 2005. Of these sites, 14,191 are considered "new" phishing sites, compared to just 4,564 new sites found one year prior, in July 2005.

The report (PDF) was released on September 11, and also includes statistics on the average time online for a phishing site (4.8 days), the number of phishing sites referenced only by IP address instead of a domain name (42%), and the country with the largest number of malicious phishing sites (the United States, with approximately 30% of all phishing sites).

The report analyzes the rapidly growing trend of phishing as a common way to steal banking and financial information from uninformed victims. Most phishing messages are sent by e-mail, a transport protocol known as SMTP that has changed little since 1982. The phishing e-mails are sent using spam distribution methods and employ social engineering to convince a user to visit a fake website and divulge private information. A number of phishing websites are in fact legitimate servers that were compromised through software vulnerabilities, exploited by hackers and covertly turned into illegal phishing sites - making the hackers more difficult to track.

The Anti-Phishing Working Group focuses on eliminating fraud and indentity theft associated with e-mail based phishing scams. Its membership includes over 1,500 organizations, eight of the top ten U.S. banks, and four of the top five U.S. ISPs.